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TnJheClAinis: 

Please cancel claims 5-8 and 10-12. Please amend claims 1, 4, 12, and 20-21. Please add 



new 



claims 22-29. The claims arc as follows: 



1 , (Currently amended) A method of operating an intrusion detection system for detecting 
mfn.s mn nf a protected networ k attachment according to [[a]] at least one business rule, sjid 

method comprising the steps of: 

awaiting an recurren ce of a n ext update time of the intrusion detection ^stciruMdjicxt 

njidatctimjLbc^ 
js checked; 

responsive lo the occurrence of [[an]] t he next update time, cheeking [[a]] tliemJeasUmc 
validity condition of [[a]] the at least on e business rule to determine whether a provision of artf 
business ru]c_I2f the at least o ne business rule is a newly operative provision that has first b ecome 
oaien.tivc^gojicJntoje 

least one j^lMj'y'^l!^ <" 'east one busi n ess role w as checked, saidjifigdySpfiratiy.S 

p ro : j3i^ ir ^2L!h i '}2.» n n1l t - ra1 inn of an ^" lrusinn set t hat the ntQ2dsk> n applies , to; 

if the checked provision uf U i oUiuJiiUo mfc is [[a]] the newly operative provision that 
nppli^ tn the intrusion set, then altering [[an]] the intrusion set according to the newly operative 
provision. 



2. (Original) The method of claim 1 , wherein the validity condition is a temporal validity 



condition. 
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. (Original) The method of claim 1 , wherein the validity condition is a network validity 



condition. 



4. (Currently amended) The method of claim 1 , wherein the validity condition h & wmpoma* 
v^tHtyxorrdittoit inrinrics a multiple te mporaljijaccifjcation, a multiple network-descriptive 
PppriRftininn, nr n multi ple tempora l sped nation and a multiple network-doscriptivo 
spec ificatio n. 



5-8. (Canceled) 



9. (Original) A method of operating an intrusion detection system according to a set of business 

rules, comprising the steps of: 

aw ai ting an update time of the intrusion detection system; 

responsive to occurrence of an update time, checking validity conditions of the set of 
business rules to determine whether a provision of any of the set of business rules is a newly 
operative provision; 

for each newly operative provision, checking an intrusion set to determine whether the 
newly operative provision applies to the intrusion set; and 

if the new provision applies to the intrusion set, altering die intrusion set according to the 

newly operative provision. 



10-12. (Canceled) 
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13. (Original) The method of claim 9, wherein die step of altering the intrusion set includes the 
step of altering a si gnaturc of the intrusion set. 



14. (Original) The method ofclaim 9, wherein the step of altering the intrusion set includes the 
step of altering a threshold of the intrusion set. 



15. (Original) The method ofclaim 9, wherein the step of altering the intrusion set includes the 
step of alluring an action of the intrusion set. 



16. (Original) The method ofclaim 9, wherein the step of altering the intrusion set includes the 
step of altering a weight of the intrusion set. 



7. (Original) The method ofclaim 9, wherein the update time is a scheduled time. 



IS. (Original) The method ofclaim 9, wherein the update time is one of a plurality of update 



times that occur substantially periodically. 



19. (Original) The method ofclaim 9, wherein the update time is a computed update time. 



20. (Currently amended) The method ofclaim [[9]1 1, wherein the sett* aUeasUDS business 
iule[[s]} merndes consists of exactly one individual business rule. 
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2 1 . (Currently amended) The method of claim [[9]] I, wherein the seHrf aUcasicmc business 
rulers]] rrwhtcretrrr^te insists of a plurality of business rule s. 



22. (New) The method of claim 1, wherein the protected network attachment comprises a 
computer, a server, a workstation, or a combination thereof. 



23. (New) The method of claim 1, wherein the next update time is a scheduled time. 



24. (New) The method of claim 1 , wherein the next update time is one update time of a plurality 
of update times that occur substantially periodically. 



25. (New 



) The method of claim 1, wherein the next update time is a computed update time, 



26. (New) The method of claim 1, wherein the step of altering the intrusion set includes the step 



of altering a signature of the intrusion set. 



27. (New) The method of claim 1, wherein the stop of altering the intrusion set includes the step 



of altering a threshold of the intrusion scL 



28. (New) The method of claim 1, wherein the step of altering the intrusion set includes the step 
of altering an action of the intrusion set. 
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29. (Now) The method of claim 1, wherein the step of altering the intrusion set includes the step 



of altering a weight of the intrusion set. 
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